Pwn2Own loses HP as its sponsor amid new cyberweapon restrictions

The next scheduled Pwn2Own hacking competition has lost Hewlett-Packard as its longstanding sponsor out of legal concerns that the company could run afoul of recent changes to an international treaty that governs software exploits.

Dragos Ruiu, organizer of both Pwn2Own and the PacSec West security conference in Japan, said HP lawyers spent more than $1 million researching the recent changes to the so-called Wassenaar Arrangement. He said they ultimately concluded that the legal uncertainty and compliance hurdles were too high for them to move forward.

"I am left being kind of grumpy now that HP is not involved," Ruiu told Ars. He said that he plans to organize a scaled-down hacking competition to fill the void at this year's conference, which is scheduled for November 11 and 12.


Pwn2Own: The perfect antidote to fanboys who say their platform is safe

For the past seven years, an annual hacker competition that pays big cash prizes has driven home the point that no Internet-connected software, regardless of who made it, is immune to exploits that surreptitiously install malware on the underlying computer. The first day of this year's Pwn2Own 2014 and the companion contest that ran concurrently stuck with much the same theme, with successful hacks of the Internet Explorer, Firefox, and Safari browsers and Adobe's Flash and Reader applications.

Contestants from Vupen, the France-based firm that sells fully weaponized exploits to governments it deems non-repressive, fetched $400,000 during day one of the two-day event. The haul came from exploits that allowed team members to gain full control over IE, Firefox, Flash, and Reader. Vupen's Firefox attack was one of three hacks that successfully compromised the Mozilla browser, with researchers Mariusz Mlynski and Juri Aedla also taking it down, feats that won them $50,000 each. At the Pwn4Fun contest held at the same CanSecWest security conference, researchers from Google toppled Apple's Safari browser, and their counterparts from HP commandeered IE.

During day two, Chrome was on tap to be tested. If it is successfully felled, it won't be the first time. Meanwhile, George "GeoHot" Hotz, the hacker who famously bypassed the copyright restrictions of the Sony PlayStation 3, reportedly became the fourth contestant to defeat Firefox during day two. Update: Vupen has reportedly pwned Chrome as well.


Pwn2Own takes down IE 10 running on a Surface Pro

Browser security took a drubbing during the first day of an annual hacker contest, with the latest versions of Microsoft's Internet Explorer, Google's Chrome, and Mozilla's Firefox all succumbing to exploits that allowed attackers to hijack the underlying computer.

The Pwn2Own contest, which is sponsored by HP's Tipping Point division, paid $100,000 for the successful exploitation of IE 10 running on a Surface Pro tablet powered by Windows 8. The attack was impressive because it was able to bypass a variety of anti-exploit technologies Microsoft has added to its flagship operating system and browser over the past decade. To succeed, researchers from France-based Vupen Security had to combine multiple attacks, a technique that is growing increasingly common.

"We've pwned MS Surface Pro with two IE10 zero-days to achieve a full Windows 8 compromise with sandbox bypass," the firm announced by Twitter on Wednesday.


Highlights of CanSecWest Day 2: Hacks Both Common and Sublime

Another day has passed here at CanSecWest with a mixed bag of results. Overall the content was, again, quite good; PWN2OWN shows us the future; HallCon and BarCon were all kinds of awesome; and I had two distinct “a ha!” moments.

My first “a ha!” came during DongJoo Ha and KiChan Ahn’s “Is Your Gaming Console Safe?: Embedded Devices, an AntiVirus-free Safe Hideout for Malware.” You might ask “Marcus, what is so compelling here? They’re just gaming consoles,” and that’s true. You know what they also are? Embedded devices with distinctly powerful CPUs. With the growth of home-brew builds (customized operating systems) available for many gaming consoles, these devices are increasingly being looked at as both attack targets and attacker platforms.

One example I found particularly powerful was a Nintendo DS running metasploit to compromise Windows devices. Clearly, a gaming console is just like any other device on the network. The second demo (and the actual “a ha!” moment) was when the presenters injected code into the game files themselves. Yes, boys and girls, you read that right. It is possible to inject code into games just as you would inject code into any DLL or application. They showed this on both installed games and games being downloaded from the Internet. I was left a bit unclear as to the limitations on an unbroken gaming console, but the implications are far reaching: a networked device is a networked device. They can all be 0wned. When you combine this with the fact that there is no awareness that malware or attacks can happen on these types of embedded devices, along with the fact that people will download and install almost anything without a second thought, the potential for abuse is clear.

The Adobe sessions at CanSecWest this year were one of the main reasons I attended. Adobe is a huge target for cybercriminals and malware writers lately, as client-side exploits are quite the trend. While attending Haifei Li’s “Understanding and Exploiting Flash ActionScript Vulnerabilities,” I was very disappointed, mainly because I could not understand the speaker. Later in the day, however, I reviewed the slides and enjoyed my second “a ha!” moment.

The slides are remarkably clear in explaining the essence of ActionScript vulnerabilities. According to Li, they are due to various program flow-calculating errors in the Verification/Generation Process, and to the fact that the Verification Flow and the Execution Flow are not the same. This is a very big deal because code can pass verification but still trigger a vulnerability during execution. Byte-code blocks make it difficult for the verification process to recognize the correct flow, which can then result in many ActionScript vulnerabilities. Clearly, ActionScript vulnerabilities and exploits will be with us for quite some time.

The final session that struck home for me was “Welcome To Rootkit Country,” from Graeme Neilso. His targets were atypical of traditional rootkit targets, as he focused on firewalls and routers. Neilso’s question “Can the integrity of the OS be trusted?” had many heads nodding in agreement. (I was one of them.) Even I was surprised by the amount of firmware that still uses hardcoded passwords and no integrity checking. Let’s be honest: You are just asking for trouble here. Neilso walked us through rolling your own rooted firmware as well as methods of installing it both remotely and locally across a wide variety of firewalls. Again, I walked away believing this more firmly than ever: any device, any OS, any application can be broken or 0wned. At this point I was roped into hallway discussions on the future of embedded-device security, rootkits, and what PWN2OWN really means for the future of the security industry.

When you consider how much infrastructure runs on embedded devices, and how rapidly enterprises are adopting mobile technologies, these types of conferences are becoming more relevant than ever.

Although it was really no surprise, the iPhone 0wnage by Charlie Miller during PWN2OWN was a portent of the near future of iPhone exploits and attacks. Miller used a drive-by download attack to 0wn the phone. As in many such attacks, the phone user is simply required to surf to a rigged website. This caused a browser crash, but once the browser was relaunched Miller was able to hijack the entire address book. Pay attention to this type of attack, as it has far-reaching implications. Far more impressive to me was the BlackBerry attack by Vincenzo Iozzo, Willem Pinckaers, and Ralf Philipp Weinmann. By using vulnerabilities in WebKit, an open-source browser recently added to BlackBerry, they were able to steal the device’s contact list and image database, and even write a file to it, by chaining together a series of bugs. What makes this so impressive? The fact that BlackBerry is an almost unknown system. The attackers had to rely on assumptions about Java Virtual Machine and browser functionality. RIM is said to be planning to add ASLR and DEP in the future; however, because there are established evasions for these defenses, we shall see where this goes.

Today holds one more Adobe session for me, stale pointer theory, and some cool fuzzing.